Physician Office Presentation
Training slide show for staff awareness

  1. Securing Data at a Physician’s Practice
     A guide to keeping your healthcare data safe and secure
  2. Agenda
     1 Common terms
     2 Why we need to secure data in Healthcare
     3 Where to start
     4 Security Awareness Program
     5 Password discussion
     6 Keep your data safe – data protection 101
     7 More recommendations – data protection 102
  3. Common terms
     You will recognize these terms when they come across your desk.
     • Password: a string of characters used to authenticate yourself (usually) to a computer.
       - Used for authentication (the user name is used for identification).
       - A PIN can also be used (after a password has been entered).
     • Encryption: a way to transform plain text into unreadable material.
       - Purpose is to hide the plain text from non-authorized agents/readers.
       - A key is needed to encrypt and to decrypt the message.
     • HIE / Remote Access / Patient Portal: the main ways SJH makes our data available to offices and physicians.
       - Health Information Exchange – the recommended way to connect to our database
       - Netilla
       - Patient Portal
     • ePHI: Electronic Protected Health Information – any PHI created, stored or transmitted electronically.
     • Phishing: a method for attackers to gather information about you.
       - email containing links
       - websites containing links
     • Social Engineering: manipulation of people to get information from them or to get them to perform certain actions.
       - Many ways to do it
  4. Data
     A little of everything. Data should be classified: secret, confidential, private and public. Depending on the classification, it may need to be encrypted …
     • Data in motion – where the data is being moved from one place to another:
       - one closet to another
       - one computer to another
       - from the file closet to the consult room
       - etc…
     • Data at rest – where the data is stored:
       - in a file closet
       - on the main file server
       - on the computer desktop
       - in the computer memory
       - etc…
  5. Why we need to secure data in Healthcare
     So many reasons, so little time … If you haven’t, act now!
     1 Government regulation
       - HIPAA – Health Insurance Portability and Accountability Act.
       - HITECH – Health Information Technology for Economic and Clinical Health Act, part of ARRA of 2009 (American Recovery and Reinvestment Act). Also called “HIPAA with teeth” because it implements enforcement.
     2 Your patient data is under attack
       - Healthcare data is extremely valuable, but it is vulnerable: it is just sitting there. It cannot defend itself, so you have to protect it.
       - Physical risks
       - Software risks
       - Latest trend: blackmail
     3 Loss of business – financial consequences
       - Data is extremely important to medicine: charts, computer records, …
       - Medical identity theft
       - You may have to close the office during an investigation
       - Loss of income for employees if the office is closed
     4 Reputation
       - You could lose the trust of the patients
       - You could lose the trust of the physicians
       - The reputation of the office is key
  6. Physical Safety is important
     Take care of your equipment!
  7. Physical Risks
     Again, there are so many risks:
     • Fire
     • Floods
     • Equipment failure
     • Theft
     • …
  8. Other Technical Risks
     More risks!
     • Hacking
     • Phishing
     • Viruses and malware
     • Blackmail
     • Misconfiguration
     • …
  9. Where to start
     Why not with the weakest link? Weakest link, you said?
     1 In Information Security, employees are the weakest link. Why?
     2 People want to trust each other. This is a characteristic that we all have: we want to trust others. This is where “Social Engineering” comes in.
     3 Google – many definitions of Social Engineering:
       - “art of manipulating people into performing actions or divulging confidential information.”
       - “act of manipulating a person to accomplish goals that may or may not be in the target’s best interest.”
       This translates into deception, whether over the phone, in person, via a computer or any other way. It includes obtaining information, gaining access or getting the target to take certain actions.
     4 Necessary steps
       - Background checks
       - Good policies and procedures
       - Information Security Awareness Program
       - Doctors must lead by example
       - Passwords: complex, and changed regularly (every 3 months)
       - Access codes should be changed when an employee leaves (recover keys, …)
  10. Security Awareness Program
     Teach at any chance you get.
     1 Starts with the hiring process
       - It starts during the hiring process. You should have a section of your GEO dedicated to Information Security.
       - Make everyone sign an agreement to keep user ID and PASSWORD confidential.
     2 Repeat every year
       - Repeat the program every year and document that you did.
       - Test the employees.
       - Keep it simple. Use what is readily available on the web – Google “Information Security awareness”.
     3 Teachable moments
       - Every chance you get, reinforce the training and the concepts. Look for those “moments”.
       - Be creative with passwords (more later).
  11. Passwords
     Complexity can be bad!
  12. Passwords
     We don’t like them, but that is all we have right now.
     1 Why we do not like them (they can be shared too easily, …)
     2 Change your password regularly
     3 Do not reuse a password or use the same password for multiple apps
     4 Complexity, while required, should be used with caution
     5 Components, rules and examples of complex passwords
     6 Password alternatives – tokens, …
     7 Use these recommendations at home too (personal accounts)
  13. Security vs. Usability
     This is always a struggle!
  14. Keep your data safe and secure – Data Protection 101
     1 Do not leave paper charts, USB keys, CDs etc. lying around the office.
     2 Use complex passwords to authenticate to the computer system.
     3 Do not use generic (shared) accounts: there is no accountability. A patient could ask to see a log of who had access to his data, and a shared account cannot answer that. Review access and privileges regularly (privilege transfer when roles change, …), at least once a year, and audit yourself.
     4 Know where your data is (map it) and classify it if you can (ePHI is classified as confidential by default). Consider the data flows (data in transit).
     5 Back up your data – you may need to restore it in the event of a disaster or even data corruption. Review your backup strategy (when, what, …).
     6 Test your backups – restore a randomly chosen file once a month. A backup that has never been restored is not known to work.
     7 Encrypt your data where necessary. This means during transit, and when it is stored in a location you do not control (USB key, CD, cloud, …).
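The monthly restore test in item 6 is easy to describe and easy to skip. The following is an added example written for this page (not the presentation's own tooling) that automates it: it assumes the backup is a plain file copy with a SHA-256 manifest (file name `MANIFEST.sha256`, an assumed convention) written at backup time, restores one randomly chosen file to a scratch directory, and proves the restored copy matches. The `demo()` function builds constructed sample files, runs the spot check, then corrupts one backup copy to show the full verification catching it.

```python
"""Added example: monthly restore test of a random file from a backup.

Illustrative code written for this page, not the presentation's software.
Assumes backups are plain file copies plus a SHA-256 manifest; real backup
software differs, but the check is the same: restore something and prove
it matches what was backed up.
"""
import hashlib
import random
import shutil
import tempfile
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.sha256"  # assumed name for this example, not a standard


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large chart scans do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(live_dir: Path, backup_dir: Path) -> int:
    """Copy every file under live_dir and record its hash in the manifest.
    Returns the number of files backed up."""
    entries = []
    for src in sorted(p for p in live_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(live_dir)
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        entries.append(f"{sha256_of(src)}  {rel.as_posix()}")
    (backup_dir / MANIFEST_NAME).write_text("\n".join(entries) + "\n")
    return len(entries)


def load_manifest(backup_dir: Path) -> dict:
    """Map relative path -> expected SHA-256, as written by write_backup."""
    manifest = {}
    for line in (backup_dir / MANIFEST_NAME).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def restore_test(backup_dir: Path, rng: Optional[random.Random] = None) -> dict:
    """The monthly spot check: pick one random file from the manifest,
    restore it into a scratch directory (never over the live copy) and
    compare its hash with the one recorded at backup time."""
    rng = rng or random.Random()
    manifest = load_manifest(backup_dir)
    rel = rng.choice(sorted(manifest))
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / Path(rel).name
        shutil.copy2(backup_dir / rel, restored)
        actual = sha256_of(restored)
    return {"file": rel, "ok": actual == manifest[rel],
            "expected": manifest[rel], "actual": actual}


def verify_all(backup_dir: Path) -> list:
    """Full check: re-hash every file in the manifest and return the relative
    paths that are missing or no longer match (silent corruption, bit rot)."""
    bad = []
    for rel, digest in sorted(load_manifest(backup_dir).items()):
        p = backup_dir / rel
        if not p.is_file() or sha256_of(p) != digest:
            bad.append(rel)
    return bad


def demo() -> dict:
    """Constructed sample (not real data): two fake office files, a backup,
    a clean spot check, then a deliberately corrupted backup copy that the
    full verification must report. Returns the outcomes for checking."""
    with tempfile.TemporaryDirectory() as live_s, tempfile.TemporaryDirectory() as bak_s:
        live, backup = Path(live_s), Path(bak_s)
        (live / "charts").mkdir()
        (live / "charts" / "patient_0001.txt").write_text("constructed chart text\n")
        (live / "schedule.csv").write_text("date,room\n2024-01-02,3\n")
        count = write_backup(live, backup)
        spot = restore_test(backup, random.Random(7))
        (backup / "schedule.csv").write_bytes(b"bit rot")  # simulate a damaged backup
        bad = verify_all(backup)
    return {"files": count, "restore_ok": spot["ok"], "corrupted": bad}


if __name__ == "__main__":
    print(demo())
```

Record the result of each monthly run (file name, date, pass/fail) with the rest of your documentation; an auditor will ask for it.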
  15. More recommendations – Data Protection 102
     1 Use an Information Security professional, or at least an IT professional. They have the experience and should guarantee their work. Ask for references and for healthcare experience.
     2 Incorporate redundancy and fault tolerance in your designs (computers, servers, networks – wired and wireless) so that you always have safe and secure access to your data.
     3 Think about BYOD: secure access, easily stolen devices, encryption is necessary, …
     4 Do a DRP test yearly. Arrange with a local business that will let you use their facilities in the event of a disaster.
     5 Keep your servers patched to the latest level. Do not forget the patching of databases (SQL, …). Do not forget to turn on the security features in your “certified software”; do not trust the vendor to do this. You have to initiate!
     6 Remote access should be secured via encryption, passwords, two-factor authentication, …
     7 Don’t forget that your data could be on hardware you are getting rid of: PC, server, copier, … If the storage was encrypted (and the key does not leave with the device), the data is protected; otherwise wipe or physically destroy the media before disposal.
  16. More recommendations – Data Protection 102, continued
     1 Make sure your PCs auto-logoff, or use password-protected screen savers.
     2 Use privacy screen filters for the computers placed in full view of the public.
     3 Deactivate USB ports and CD writers to prevent unauthorized copying of ePHI. Discuss DLP with a professional.
     4 If you want to communicate with patients, use a portal instead of email. Email is NOT secure.
     5 Save the logs of who is accessing which record, and review them.
     6 Download the information security guide for small practices (pdf) from the OCR site.
     7 Be aware of your environment!
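Slide 14 says a patient may ask who had access to his data, and slide 16 says to keep the logs that answer that question. The following is an added example written for this page (not the presentation's or any EHR vendor's code) showing what a review of such a log looks like. It assumes the application writes one line per record access in the constructed CSV format below (timestamp, user, patient id, action); real EHR audit logs use their own formats, but the three questions asked here are the same: who touched this patient's record, which accesses were made under a shared account and so cannot be attributed to a person, and what happened outside office hours. The account names in `GENERIC_ACCOUNTS` and the 07:00-19:00 office hours are assumptions for the example.

```python
"""Added example: reviewing an ePHI access log.

Illustrative code written for this page, not the presentation's software.
The log format, the shared account names and the office hours are
assumptions; adapt them to what your system actually writes.
"""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample log (not real data). Note the shared "frontdesk" account
# and the late-night accesses by msmith.
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2024-03-04T08:05:12,jdoe,P-1001,view
2024-03-04T08:07:40,frontdesk,P-1002,view
2024-03-04T12:15:03,frontdesk,P-1001,print
2024-03-04T22:41:55,msmith,P-1001,view
2024-03-05T09:00:10,jdoe,P-1003,update
2024-03-05T23:10:00,msmith,P-1004,export
"""

GENERIC_ACCOUNTS = {"frontdesk", "admin", "nurse"}  # assumed shared-account names
BUSINESS_HOURS = (7, 19)  # assumed office hours, 07:00 to 19:00


def parse_log(text: str) -> list:
    """Turn the CSV text into rows with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def accesses_for_patient(rows: list, patient_id: str) -> list:
    """Answer the patient's question 'who has looked at my record?'.
    Returns (when, user, action) tuples in log order."""
    return [(r["timestamp"].isoformat(), r["user"], r["action"])
            for r in rows if r["patient_id"] == patient_id]


def generic_account_use(rows: list) -> Counter:
    """Accesses made under shared accounts: these cannot be tied to a person,
    which is exactly why slide 14 says not to use generic accounts."""
    return Counter(r["user"] for r in rows if r["user"] in GENERIC_ACCOUNTS)


def after_hours(rows: list) -> list:
    """Accesses outside BUSINESS_HOURS; worth a second look, especially exports."""
    start, end = BUSINESS_HOURS
    return [(r["timestamp"].isoformat(), r["user"], r["patient_id"], r["action"])
            for r in rows if not start <= r["timestamp"].hour < end]


def review(text: str = SAMPLE_LOG, patient_id: str = "P-1001") -> dict:
    """Run the three checks over one log and return the findings."""
    rows = parse_log(text)
    return {
        "patient": accesses_for_patient(rows, patient_id),
        "generic_accounts": dict(generic_account_use(rows)),
        "after_hours": after_hours(rows),
    }


if __name__ == "__main__":
    findings = review()
    print("Accesses to P-1001:")
    for when, user, action in findings["patient"]:
        print(f"  {when}  {user:<10} {action}")
    print("Shared-account use:", findings["generic_accounts"])
    print("After-hours accesses:")
    for when, user, patient, action in findings["after_hours"]:
        print(f"  {when}  {user:<10} {patient}  {action}")
```

In the constructed log the print of P-1001 by `frontdesk` is the case the slide warns about: the log proves the record was printed but cannot say by whom. Run a review like this on a schedule, not only when a patient asks.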
  17. Make Information Security part of what you do
     Bake it into your processes. Information Security should always be considered in everything you do. It will help later (during audits), especially if you document your efforts.
  18. Questions?
     THANK YOU!